Tuesday, December 26th 2017
DARPA Believes the Future of Security to be in Additional Processing Hardware
DARPA seems to be taking to heart engineer and cyber-security experts' opinions that hardware-based security would be the best security. The Defense Advanced Research Agency (DARPA), which has appeared in every other sci-fi war movie, has started its System Security Integrated through Hardware and Firmware (SSITH) program, with an initial kick worth $3.6 million to the University of Michigan. The objective? To develop "unhackable" systems, with hardware-based security solutions that become impervious to most software exploits.
Electrical Engineering and Computer Science (EECS) of the University of Michigan Professor Todd Austin, lead researcher on the project, says his team's approach, currently code-named Morpheus, achieves hack-proof hardware by "changing the internal codes once a second". Austin likens Morpheus' defenses to requiring a would-be attacker to solve a new Rubik's Cube every second to crack the chip's security. In this way, the architecture should provide the maximum possible protection against intrusions, including hacks that exploit zero-day vulnerabilities, or those that cybersecurity experts have yet to discover. Morpheus thereby provides a future-proof solution, Austin said. "This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software," SSITH program manager Linton Salmon of the Agency's Microsystems Technology Office.This approach is a far cry from the usual "patch and pray" philosophy: "To break this cycle and thwart both today's and tomorrow's software attacks, the SSITH program challenges researchers to design security directly at the hardware architecture level," said Salmon. "Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today's software attacks."
The final Morpheus hardware will actually be a hardware version of the Morpheus algorithm that the University of Michigan has already developed, and bases its security chops by constantly changing the location of the protective firmware with hardware - hardware that also constantly scrambles the location of stored, encrypted passwords. A solution that's already being employed in software as of today; however, Austin believes that moving software efforts to a hardware-based solution can eliminate all classes of known vulnerabilities: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection.Austin said that Morpheus will provide a future-proof solution for cybersecurity, though it's uncertain whether or not this confidence applies to the advent of quantum computing. Whether or not a hardware-solution based on conventional physics is enough to stop a quantum-based computer still remains contested in the field, but DARPA, and the University of Michigan, seem to have their ideas on the subject.
Sources:
DARPA, EETimes
Electrical Engineering and Computer Science (EECS) of the University of Michigan Professor Todd Austin, lead researcher on the project, says his team's approach, currently code-named Morpheus, achieves hack-proof hardware by "changing the internal codes once a second". Austin likens Morpheus' defenses to requiring a would-be attacker to solve a new Rubik's Cube every second to crack the chip's security. In this way, the architecture should provide the maximum possible protection against intrusions, including hacks that exploit zero-day vulnerabilities, or those that cybersecurity experts have yet to discover. Morpheus thereby provides a future-proof solution, Austin said. "This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software," SSITH program manager Linton Salmon of the Agency's Microsystems Technology Office.This approach is a far cry from the usual "patch and pray" philosophy: "To break this cycle and thwart both today's and tomorrow's software attacks, the SSITH program challenges researchers to design security directly at the hardware architecture level," said Salmon. "Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today's software attacks."
The final Morpheus hardware will actually be a hardware version of the Morpheus algorithm that the University of Michigan has already developed, and bases its security chops by constantly changing the location of the protective firmware with hardware - hardware that also constantly scrambles the location of stored, encrypted passwords. A solution that's already being employed in software as of today; however, Austin believes that moving software efforts to a hardware-based solution can eliminate all classes of known vulnerabilities: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection.Austin said that Morpheus will provide a future-proof solution for cybersecurity, though it's uncertain whether or not this confidence applies to the advent of quantum computing. Whether or not a hardware-solution based on conventional physics is enough to stop a quantum-based computer still remains contested in the field, but DARPA, and the University of Michigan, seem to have their ideas on the subject.
6 Comments on DARPA Believes the Future of Security to be in Additional Processing Hardware
The real future of data security is, ironically, in the past. Data systems of critical concern need to be taken offline permanently and the feed and reteival information completely manual after strict vetting.
Allegations like "provides a future-proof solution" must always be said to secure funding, but have been rendered null since forever because such is the nature of technology (be it security or feature-wise).
It might provide some level of novel security over what exists right now, be government approved and whatever, but not making it air-gapped alone makes it fully vulnerable, for example.
Also, no software patching means hardware revisions and field replacements. I'm sure the USA's government (or any other) funding can take care of that... :rolleyes:
Unless they fully release the ASIC hardwares FPGA source, I won't trust it. And even then, I'm skeptical that's what's getting put in the chip.